Tuts 4 You

Leaderboard

  1. kao (Full Member+) - Points: 227, Content Count: 2,465
  2. Teddy Rogers (Administrator) - Points: 133, Content Count: 9,090
  3. Xyl2k (Full Member) - Points: 119, Content Count: 186
  4. CodeExplorer (Moderator) - Points: 117, Content Count: 3,136

Popular Content

Showing content with the highest reputation since 06/13/2020 in all areas

  1. awesome_msil_Out.exe Approach: 1. Necrobit is a JIT protection, so we use Simple MSIL Decryptor by CodeCracker, and it shall be run on NetBox. 2. Code virtualization is a relatively new feature of .NET Reactor, added in version 6.2.0.0. Here is the approach I took (I did this about 6 months ago so my memory is kinda rusty):
    12 points
  2. Here are some of my keygen/crack GFX's / templates I've made in Photoshop + WinASM Studio these days: (1) https://imgur.com/vS71RaO (2) https://imgur.com/3fWUf30 (3) https://imgur.com/5YfB8Xg (4) https://imgur.com/2Bt54Ne (5) https://imgur.com/fDC4FfK (6) https://imgur.com/p4TBQ4J (7) https://imgur.com/gNOgPnR (8) https://imgur.com/vkwSQ01 Please note that the PERYFERiAH team is not a warez group. It is actually a vlogging team, since I was making vlogs in high school in the past. And the people of the PERYFERiAH (PRF for short) were actually my
    11 points
  3. So you want to download some releases from SND? Alright, let's look at snd.webscene.ir: the distribution section menu contains a link pointing at hxtps://keygens.pro/. Super, looks like there are a lot of cracks over here! And the site is virus free, right? So let's pick something, I don't know, maybe 7-Data.Card.Recovery.1.1.keygen-SND hxtps://keygens.pro/crack/729775/ lol @ the description on the page, didn't know Reagan was from SND and born in Russia. Anyway, we get redirected to a download page after clicking the 'Download only Keygen' button, we have to fill in a captcha and agree
    11 points
  4. Tango down for 109.201.133.80 (keygens.pro, serials.be, crack.ms). Meanwhile, 54.36.184.139 (crackinns.com, torrentheap.com, crackheaps.com, cracknets.net, cracksnet.net, cracknet.net, keygenit.net, keygenom.net, cracksgurus.com, keygenninja.com, serialms.com, mackeygens.com, mediagetsite.com, get.ziplink.xyz, get.ziplink.stream) are still spreading malware. Abuse report sent too, but nothing has followed for the moment, so here is some insight about their infra in the meantime (when all else fails, crowbar the fornicationer). Embedded mini-admin panel to administer the fake sites, allow t
    10 points
  5. 23,882 downloads

    A collection of tutorials aimed particularly at newbie reverse engineers.
    01. Olly + assembler + patching a basic ReverseMe
    02. Keyfiling the ReverseMe + assembler
    03. Basic nag removal + header problems
    04. Basic + aesthetic patching
    05. Comparing on changes in conditional jumps, animate over/in, breakpoints
    06. "The plain stupid patching method", searching for text strings
    07. Intermediate level patching, Kanal in PEiD
    08. Debugging with W32Dasm, RVA, VA and offset, using LordPE as a hex editor
    09. Explaining the Visual Basic concept, introduction to SmartCheck and configurati
    9 points
  6. Hello, I unpacked the file completely (including the VM). Here is how I did it (simplified a bit): 1. After a bit of analysis we can notice that Agile.NET hooks into the Just-In-Time compiler in order to restore the method code. This can be undone by hooking into the JIT before Agile.NET does. 2. Update de4dot to be able to remove simple protections like string encryption, control flow, and reference proxies. This just requires you to update some detections. 3. Spending some time analyzing the Agile.NET VM, we find out that its VM is somewhat different from others as it creates "combined" handlers
    9 points
  7. No, it really isn't. It stops 10-year-olds from running ready-made tools, and that's about it. Password is: There are 3 ways to solve it: Easy way (1/10): open the file in a hex editor, check the strings and find the solution there. Slightly harder (2/10): run the crackme under any tracer/profiler, see what functions it calls, see the correct string as one of the parameters. "Extremely hard" (3/10): open dnSpy and Visual Studio and fix the OldRod source code. You'll need like 5 minutes for that. 1) Compare original KoiVM method handlers with DiamondVM method handlers:
    9 points
  8. Necrobit: To mess up the old de4dot implementation, .NET Reactor changed the P/Invoke methods, but for the unpack you can use SMD from CodeCracker, which will do an excellent job of this. Control Flow: To break de4dot.blocks, Ezriz added a number of instructions to the flow cases which de4dot cannot process; it's easy to fix, just repeat after me) String Encrypt: Ezriz changed the resource encryption algorithm for strings, which messed up the old decryptor implementation. This problem is solved by dynamic emulation of the method, with
    7 points
  9. I just published my own write-ups on my GitHub, if anyone is interested https://github.com/Washi1337/ctf-writeups/tree/master/FlareOn/2020
    7 points
  10. Fun challenge. I went for finding just the key algorithm rather than fully devirtualizing, but the code is pretty clear. Here some sample keys: Approach: Keygen.7z
    7 points
  11. Sure, I'm gonna release an unpacker for .NET Reactor 6.x soon.
    7 points
  12. This code and the accompanying article are worse than most ConfuserEx mods written by script kiddies... Where do I start? Holy f*ck, have you ever heard of things you should never ever do inside DllMain? Loading another DLL from DllMain is one of the basic ones - it virtually guarantees a deadlock. "DLL hook"... You mean DLL name? Like, I don't know... a string? Not since year 2018... And it's called "Detours". And the cherry on top! Just 4 problems in 9 lines of code! Must be a world record or something! 1) if CreateRemoteThread fails, ch
    7 points
  13. It seems they're using a stolen version of DNGuard Enterprise and made a cloud version of it! So it's DNG 3.9.6.2 Enterprise and almost none of the options are true. Here is the password: Approach: Unpacked file attached. B.R. Unpackme_cleaned.exe
    6 points
  14. Oh, I didn't try to be mean. It was just a feeling that I had while solving the challenge. I guess it was late in the night when I wrote this reply, which might have made my post seem a little bit aggressive. Don't get me wrong, I really enjoyed reversing this challenge. Bruteforce challenges are just not really my cup of tea. Anyway, I just pushed my full write-up with all scripts and dumps to my GitHub: https://github.com/Washi1337/ctf-writeups/tree/master/Miscellaneous/tuts4you/ClumsyVM
    6 points
  15. @XenocodeRCE: I have huge respect for you as an RE guy, but now you're just being a d*ck. If you have some personal issues with mamo/localhost0/whatever he calls himself this week, please resolve them privately and don't make a huge public drama out of it. No matter how I count, it's 3 months and 2 days max. If you're gonna whine, at least get your facts right. Umm, no. The requirement from law is to react to any reported copyright infringements, not to actively run around and search for any possible issues. See DMCA 512(c). So, if admins ignored a properly re
    6 points
  16. https://mega.nz/file/xgonHADA#6-giBWOZXfODm7sLFAMzuCH9L2uQz4sL_9NNBlDkLTM - for those who don't want to fill in the stupid questionnaire with company email address, job position and whatnot. https://mega.nz/file/Nt4xSaoK#jRcuuuM2vS77DM9Y-KuT4UQUKiYIEl0KkKd6Cp9t7hE - code samples that TheHackersNews forgot to include. The book tries to cover a very wide area of topics - from Windows to .NET to Linux, IoT, iOS, Android and shellcode. By doing so, it fails to cover any of the topics in sufficient detail. So, it's a "jack of all trades, master of none".
    6 points
  17. https://github.com/ribthegreat99OrN0P/Agile.NET-Deobfuscator @GameHackerPM @BlackHat To fix delegates, control flow, and strings, here you go; I've made a tool with many comments to help you understand!
    6 points
  18. Are you absolutely sure this is doable without bruteforce? After spending some hours on analyzing and devirtualizing, this crackme feels very much like a "guess-what-the-author-wanted-you-to-do" challenge, rather than an actual reverse engineering challenge where we have to infer the password from the code. In the spoiler is some more detailed info on why I think this is the case. EDIT:
    5 points
  19. For those interested, I have installed a new dark theme and deleted the others. Scroll to the bottom of the page to find the option to change themes... Ted.
    5 points
  20. Happy New Year 2021 for all members
    5 points
  21. Happy New Year and welcome to 2021! I hope we have a better year than 2020 and we get back to some normality... Ted.
    5 points
  23. Info: https://www.reddit.com/r/windowsxp/comments/iz46du/the_windows_xp_source_code_has_been_leaked_on/ Most of the torrent includes previously leaked data/files. But now it claims to include the full source of Windows XP (looks SP1-based from the pics people have posted). If you plan to download this (42 gig torrent) I'd seriously recommend a VPN.
    5 points
  24. Regexps are not particularly efficient here and simple string operations work much better. Anyway, I made a writeup on my blog (https://lifeinhex.com/deobfuscating-autoit-scripts-part-2/) and put a copy-paste below. Unfortunately, all the hyperlinks are gone and I just can't be bothered to go through each and every one of them. Also - it refers a lot to my old solution of another AutoIt crackme, so I really suggest checking that writeup as well: --------- Almost 4 years ago, I wrote a blog post about deobfuscating a simple AutoIt obfuscator.
    5 points
  25. A Complete Article - https://back.engineering/17/05/2021/ Download Link - https://githacks.org/vmp2 Author - https://githacks.org/_xeroxz
    4 points
  26. Very simple example, just to show the idea...
    static void Main(string[] args)
    {
        using (var module = ModuleDefMD.Load(args[0]))
        {
            foreach (var type in module.GetTypes())
            {
                foreach (FieldDef field in type.Fields)
                {
                    // this will change all string constant values to "kao". Make sure to fix the `if`!!!
                    if (field.HasConstant && field.ElementType == ElementType.String)
                    {
                        field.Cons
    4 points
  27. There's the WinDivert library which allows you to do all of this. WinDivert is in C but there are bindings for Python & C#. You can check the source code of Clumsy, which uses WinDivert to selectively modify packets. It's in C. There's also the now-discontinued flare-fakenet-ng which uses the Python bindings - pydivert. https://reqrypt.org/windivert.html http://jagt.github.io/clumsy/ https://github.com/fireeye/flare-fakenet-ng
    4 points
  28. Finally my new effect has arrived and it's called "Crazy Word 0.1" by x0man, although it's ripped (with a little bit of help from KesMezar). To get the gradient color squares on the aboutbox bg, you must cut from a template using MSPaint (or perhaps just use some colored/gradiented image), save it as JPG, and then you should insert 0Ah in these codes:
    mov var_4, 0
    push 0CC0020h ; color for solid background I think ..
    push 0Ah      ; 0C8h picture height (200)
    push 0Ah      ; 190h picture width (400)
    push
    4 points
  30. That is it. Or c:\:$i30:$bitmap inside a shortcut file would do the job. This will cause immediate corruption in Win10 builds 1803 or later. It will cause prompts to reboot to repair the disk, and then chkdsk on boot will be unable to repair it. This sounds quite dangerous as it makes downloading zip or rar archives and extracting them potentially harmful if they contain such a shortcut .lnk. https://www.bleepingcomputer.com/news/security/windows-10-bug-corrupts-your-hard-drive-on-seeing-this-files-icon/
    4 points
  31. I will release an update for the tool which allows the skipping of metadata writing errors!
    4 points
  32. Get your tools ready!
    4 points
  33. I also have to say that I'm impressed by the result. Excellent indeed. Since there is knowledge and maybe tools, sharing the method or the tools (as @SychicBoy did for his control flow deobfuscator) would be great for the community. Personally, in solving the challenge, when dealing with this kind of obfuscator, I hook UnsafeInvokeInternal and get the result. This indeed works. In this case the challenges are simple, so reversing the logic is also. However, to properly reconstruct the assembly a different approach is obviously needed. About the Necrobit protection, what maybe
    4 points
  34. awesome.vmp35_cracked.exe Every other portion of VMP is removed, including the CRC check etc. But still it will not run until we fix the delegates. It is still left
    4 points
  36. 1,647 downloads

    I want to release a new tutorial about the popular theme Themida - WinLicense. I see there still seem to be some open questions, mostly about my older unpack script not working anymore and the unpacked files too, etc. So this time I decided to create a little video series on how to unpack and deal with a newer protected Themida target manually, where my older public script fails. A friend of mine protected unpackme's for this, and in the tutorial you will see all steps from A-Z to get this unpackme successfully unpacked manually, but this is only one example of how you can do it, of course. S
    4 points
  37. Fixed in v1.7 https://githacks.org/vmp2/vmemu/-/releases/v1.7 (make sure your command line arguments are also correct)... Also be aware that vmemu currently does NOT support dumped modules as it uses LoadLibraryExA with DONT_RESOLVE_DLL_REFERENCES to load the module... Support for dumped modules will come very shortly, as well as an auto-unpacking/drag & drop project.
    3 points
  38. Installing an SEH handler or calling IsBadReadPtr is trying to deal with the symptoms (crash), not the cause of the problem (bad pointer to buffer, bad data in buffer or whatever). Don't just hide the problem - find the real cause of the problem instead.
    3 points
  39. You just didn't read MSDN properly. See https://docs.microsoft.com/en-us/windows/win32/api/winuser/ns-winuser-drawitemstruct (emphasis mine): Value 0x301 decodes as ODS_NOFOCUSRECT | ODS_NOACCEL | ODS_SELECTED. The correct way of checking such flags is by using an "and" or "test" operation, just like Tonyweb's code does. Your code comparing the byte value will fail, for example, on flags ODS_DEFAULT | ODS_SELECTED or anything like that.
    3 points
  40. include bcrypt.inc
    includelib bcrypt.lib

    GenRandom PROTO

    GenRandom PROC
        LOCAL dwRandom:DWORD
        mov dwRandom, 0
        Invoke BCryptGenRandom, NULL, Addr dwRandom, 4, BCRYPT_USE_SYSTEM_PREFERRED_RNG ; 0x00000002
        mov eax, dwRandom
        ret
    GenRandom ENDP
    3 points
  41. It's all explained in the document you linked to: https://www.cplusplus.com/reference/cstdlib/rand/ "This algorithm uses a seed to generate the series, which should be initialized to some distinctive value using function srand." and later in the example:
    /* initialize random seed: */
    srand (time(NULL));
    /* generate secret number between 1 and 10: */
    iSecret = rand() % 10 + 1;
    That's the most common approach - initializing the random number generator with the current time or the output of the rdtsc instruction. Using a counter like you suggested is not a good idea. Instead,
    3 points
  42. Take my advice... A hard drive is definitely not something to try to save money on. You can see how much time you wasted trying to recover the last one? Just not worth it, in my opinion. Avoid Seagate drives. They are well known to fail suddenly. Western Digital ones are a lot more reliable. Go for the SERVER versions of the drives if possible (I know, some say they should not be used for home purposes) but in my experience they last far longer and are more reliable than the usual consumer-grade ones. Check out the color codes of Western Digital drives here: htt
    3 points
  43. Those guys must be politicians, the way they justified their dictatorship in removing. It is funny. I'm happy it's back; it kinda gives a tiny hope that people can still make a change.
    3 points
  44. After spending three days I'm still stuck at the 4th challenge; now I understand what it means to be a reverse engineer. Maybe I will not solve all the challenges (or maybe not even half of them), but I will still try my best till the last day.
    3 points
  45. What I find of most interest is the API index and any documentation that exists. Line comments in the code can tell you a lot about what was going on internally within Windows. I recall chuckling over things like this in code comments: "Certain lame apps (Norton Desktop setup)"... Ted.
    3 points
  46. First of all, this crackme is version-dependent; it only works with Python 3.8 x86. I don't have it installed, so I had to replace _pytransform.dll with the x64 equivalent downloaded from here to be able to run it with my x64 version of Python 3.8. By looking in the memory of python.exe and placing hardware breakpoints on write on the encrypted code of PyArmor (that starts with \x50\x59\x41\x52\x4d...) we can find a place in _pytransform.dll where it decrypts it to the actual marshalled code object of Python. It is a function at RVA 0x254D0. Then we have to deal with the second layer of Py
    3 points
  47. Since the challenge description allows it, I'm going for the quick serial fish for now. Approach:
    3 points
  48. _PyEval_EvalFrameDefault executes a code object on the Python frame. To dump the code object to a file you need to use PyMarshal_WriteObjectToFile / PyMarshal_WriteObjectToString at an appropriate place within the function. DnSpy has nothing to do with Python. It's just a piece of string inserted there on purpose.
    3 points
  49. This is really the key point that probably should be the requirement for a post to be accepted. A solution should be reproducible, not a list of private tools that are used. Private tools are, as their name implies, private, and by definition that means it is everything but reproducible (unless this tool is shared with the reader of the solution). The only person benefiting from such a reply is the respondent themselves in the form of an ego boost. Not very productive if you'd ask me.
    3 points